Vulnerabilities > CVE-2017-15131

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
freedesktop
redhat
nessus
NVD
Published: 2018-01-09
Updated: 2024-11-21

Summary

It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.

Vulnerable Configurations

Part Description Count
Application
Freedesktop
16
OS
Redhat
1

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0026_XDG-USER-DIRS.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has xdg-user-dirs packages installed that are affected by a vulnerability: - It was found that the system umask policy is not being honored when creating XDG user directories (~/Desktop etc) on first login. This could lead to user
    last seen2020-06-01
    modified2020-06-02
    plugin id127188
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127188
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : xdg-user-dirs Vulnerability (NS-SA-2019-0026)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1024.NASL
    descriptionAccording to the version of the xdg-user-dirs package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that the system umask policy is not being honored when creating XDG user directories (~/Desktop etc) on first login. This could lead to user
    last seen2020-05-06
    modified2018-01-19
    plugin id106165
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106165
    titleEulerOS 2.0 SP1 : xdg-user-dirs (EulerOS-SA-2018-1024)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1030.NASL
    descriptionIt was found that the system umask policy is not being honored when creating XDG user directories (~/Desktop etc) on first login. This could lead to user
    last seen2020-06-01
    modified2020-06-02
    plugin id110447
    published2018-06-12
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110447
    titleAmazon Linux 2 : xdg-user-dirs (ALAS-2018-1030)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180410_XDG_USER_DIRS_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - xdg-user-dirs, gnome-session: Xsession creation of XDG user directories does not honor system umask policy (CVE-2017-15131) Additional Changes :
    last seen2020-03-18
    modified2018-05-01
    plugin id109459
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109459
    titleScientific Linux Security Update : xdg-user-dirs on SL7.x x86_64 (20180410)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0842.NASL
    descriptionFrom Red Hat Security Advisory 2018:0842 : An update for xdg-user-dirs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. xdg-user-dirs is a tool to create and configure default desktop user directories such as the Music and the Desktop directories. Security Fix(es) : * xdg-user-dirs, gnome-session: Xsession creation of XDG user directories does not honor system umask policy (CVE-2017-15131) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109107
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109107
    titleOracle Linux 7 : xdg-user-dirs (ELSA-2018-0842)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0842.NASL
    descriptionAn update for xdg-user-dirs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. xdg-user-dirs is a tool to create and configure default desktop user directories such as the Music and the Desktop directories. Security Fix(es) : * xdg-user-dirs, gnome-session: Xsession creation of XDG user directories does not honor system umask policy (CVE-2017-15131) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108987
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108987
    titleRHEL 7 : xdg-user-dirs (RHSA-2018:0842)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-0842.NASL
    descriptionAn update for xdg-user-dirs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. xdg-user-dirs is a tool to create and configure default desktop user directories such as the Music and the Desktop directories. Security Fix(es) : * xdg-user-dirs, gnome-session: Xsession creation of XDG user directories does not honor system umask policy (CVE-2017-15131) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109373
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109373
    titleCentOS 7 : xdg-user-dirs (CESA-2018:0842)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1025.NASL
    descriptionAccording to the version of the xdg-user-dirs package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that the system umask policy is not being honored when creating XDG user directories (~/Desktop etc) on first login. This could lead to user
    last seen2020-05-06
    modified2018-01-19
    plugin id106166
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106166
    titleEulerOS 2.0 SP2 : xdg-user-dirs (EulerOS-SA-2018-1025)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1181.NASL
    descriptionAccording to the version of the xdg-user-dirs package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that the system umask policy is not being honored when creating XDG user directories (~/Desktop etc) on first login. This could lead to user
    last seen2020-05-06
    modified2018-07-03
    plugin id110845
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110845
    titleEulerOS 2.0 SP3 : xdg-user-dirs (EulerOS-SA-2018-1181)

Redhat

advisories
bugzilla
id1455094
titleCVE-2017-15131 xdg-user-dirs, gnome-session: Xsession creation of XDG user directories does not honor system umask policy
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • commentxdg-user-dirs is earlier than 0:0.15-5.el7
      ovaloval:com.redhat.rhsa:tst:20180842001
    • commentxdg-user-dirs is signed with Red Hat redhatrelease2 key
      ovaloval:com.redhat.rhsa:tst:20180842002
rhsa
idRHSA-2018:0842
released2018-04-10
severityLow
titleRHSA-2018:0842: xdg-user-dirs security and bug fix update (Low)
rpms
  • xdg-user-dirs-0:0.15-5.el7
  • xdg-user-dirs-debuginfo-0:0.15-5.el7

References